chore(deps): update module go.opentelemetry.io/otel to v1.41.0 [security] #60

Open
felix-renovate[bot] wants to merge 1 commit into main from renovate/go-go.opentelemetry.io-otel-vulnerability

@felix-renovate felix-renovate Bot commented May 1, 2026

This PR contains the following updates:

Package Change
go.opentelemetry.io/otel v1.39.0 -> v1.41.0

OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

CVE-2026-29181 / GHSA-mh2q-q3fh-2475

More information

Details

multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit.

severity

HIGH (availability / remote request amplification)

relevant links
vulnerability details

pins: open-telemetry/opentelemetry-go@1ee4a41
as-of: 2026-02-04
policy: direct (no program scope provided)

callsite: propagation/baggage.go:58 (extractMultiBaggage)
attacker control: inbound HTTP request headers (many baggage field-values) → propagation.HeaderCarrier.Values("baggage") → repeated baggage.Parse + member aggregation

root cause

extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).

impact

in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency.

example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):

  • canonical: per_req_alloc_bytes=10315458 and p95_ms=7
  • control: per_req_alloc_bytes=133429 and p95_ms=0

proof of concept

canonical:

mkdir -p poc
unzip poc.zip -d poc
cd poc
make test

output (excerpt):

[CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage
[PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165

control:

cd poc
make control

control output (excerpt):

[NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480

expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget.
actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.

fix recommendation

avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).

fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for per_req_alloc_bytes and per_req_allocs, and p95_ms stays below 2ms.

poc.zip
PR_DESCRIPTION.md

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)

v1.41.0

Compare Source

Added
  • Add ByteSlice and ByteSliceValue functions for new BYTESLICE attribute type in go.opentelemetry.io/otel/attribute. (#​7948)
  • Apply attribute value limit to the KindBytes attribute type in go.opentelemetry.io/otel/sdk/log. (#​7990)
  • Apply attribute value limit to the BYTESLICE attribute type in go.opentelemetry.io/otel/sdk/trace. (#​7990)
  • Support BYTESLICE attributes in go.opentelemetry.io/otel/trace. (#​8153)
  • Support BYTESLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlptrace. (#​8153)
  • Support BYTESLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlplog. (#​8153)
  • Support BYTESLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlpmetric. (#​8153)
  • Support BYTESLICE attributes in go.opentelemetry.io/otel/exporters/zipkin. (#​8153)
  • Add String method for Value type in go.opentelemetry.io/otel/attribute. (#​8142)
  • Add Slice and SliceValue functions for new SLICE attribute type in go.opentelemetry.io/otel/attribute. (#​8166)
  • Support SLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlptrace. (#​8216)
  • Support SLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlplog. (#​8216)
  • Support SLICE attributes in go.opentelemetry.io/otel/exporters/otlp/otlpmetric. (#​8216)
  • Support SLICE attributes in go.opentelemetry.io/otel/exporters/zipkin. (#​8216)
  • Apply AttributeValueLengthLimit to attribute.SLICE type attribute values in go.opentelemetry.io/otel/sdk/trace, recursively truncating contained string values. (#​8217)
  • Add Error field on Record type in go.opentelemetry.io/otel/log/logtest. (#​8148)
  • Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. (#​8157)
  • Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp. (#​8157)
  • Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc. (#​8157)
  • Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#​8157)
  • Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc. (#​8157)
  • Add WithMaxRequestSize option in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8157)
  • Add Settable to go.opentelemetry.io/otel/metric/x to allow reusing attribute options. (#​8178)
  • Add experimental support for splitting metric data across multiple batches in go.opentelemetry.io/otel/sdk/metric.
    Set OTEL_GO_X_METRIC_EXPORT_BATCH_SIZE=<max_size> to enable for all periodic readers.
    See go.opentelemetry.io/otel/sdk/metric/internal/x for feature documentation. (#​8071)
  • Add experimental self-observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc.
    Enable with OTEL_GO_X_SELF_OBSERVABILITY=true environment variable.
    See go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/x for feature documentation. (#​8192)
  • Add experimental self-observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp.
    Enable with OTEL_GO_X_SELF_OBSERVABILITY=true environment variable.
    See go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp/internal/x for feature documentation. (#​8194)
  • Add experimental self-observability metrics in go.opentelemetry.io/otel/exporters/stdout/stdoutlog.
    Enable with OTEL_GO_X_SELF_OBSERVABILITY=true environment variable.
    See go.opentelemetry.io/otel/stdout/stdoutlog/internal/x for feature documentation. (#​8263)
  • Add WithDefaultAttributes to go.opentelemetry.io/otel/metric/x to support setting default attributes on instruments. (#​8135)
  • Add go.opentelemetry.io/otel/semconv/v1.41.0 package.
    The package contains semantic conventions from the v1.41.0 version of the OpenTelemetry Semantic Conventions.
    See the migration documentation for information on how to upgrade from go.opentelemetry.io/otel/semconv/v1.40.0. (#​8324)
  • Add Observable variants of instruments to go.opentelemetry.io/otel/semconv/v1.41.0 package. (#​8350)
  • Generate explicit histogram bucket boundaries from weaver configuration for HTTP and RPC duration instruments in go.opentelemetry.io/otel/semconv/v1.41.0. (#​8002)

Changed
  • ⚠️ Breaking Change: go.opentelemetry.io/otel/sdk/metric now applies a default cardinality limit of 2000 to comply with the Metrics SDK specification recommendation.
    New attribute sets are dropped when the cardinality limit is reached. The measurement of these sets are aggregated into a special attribute set containing attribute.Bool("otel.metric.overflow", true).
    This can break users who relied on the previous unlimited default.
    Set WithCardinalityLimit(0) or the deprecated OTEL_GO_X_CARDINALITY_LIMIT=0 environment variable to preserve unlimited cardinality.
    Note that support for OTEL_GO_X_CARDINALITY_LIMIT may be removed in a future release. (#​8247)
  • ErrorType in go.opentelemetry.io/otel/semconv now unwraps errors created with fmt.Errorf when deriving the error.type attribute. (#​8133)
  • go.opentelemetry.io/otel/sdk/log now unwraps error chains created with fmt.Errorf when deriving the error.type attribute from errors on log records. (#​8133)
  • Set.MarshalLog method in go.opentelemetry.io/otel/attribute now uses Value.String formatting following the OpenTelemetry AnyValue representation for non-OTLP protocols. (#​8169)
  • Optimize go.opentelemetry.io/otel/sdk/metric to return a drop reservoir and short-circuit Offer calls to the exemplar reservoir when exemplar.AlwaysOffFilter is configured. (#​8211) (#​8267)
  • Optimize go.opentelemetry.io/otel/sdk/metric to return a drop reservoir for asynchronous instruments when exemplar.TraceBasedFilter is configured. (#​8286)

Deprecated
  • Deprecate Value.Emit method in go.opentelemetry.io/otel/attribute.
    Use Value.String instead. (#​8176)

Fixed
  • Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc.
    The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
  • Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp.
    The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
  • Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc.
    The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
  • Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp.
    The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
  • Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc.
    The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
  • Limit OTLP request size to 64 MiB by default in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp.
    The limit applies before compression, oversized requests are treated as non-retryable errors, and the limit can be configured with the new WithMaxRequestSize option. (#​8157, #​8365)
  • Fix gzipped request body replay on redirect in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp. (#​8135)
  • Fix gzipped request body replay on redirect in go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8152)
  • go.opentelemetry.io/otel/exporters/prometheus now uses Value.String formatting for label values following the OpenTelemetry AnyValue representation for non-OTLP protocols. (#​8170)
  • Propagate errors from the exporter when calling Shutdown on BatchSpanProcessor in go.opentelemetry.io/otel/sdk/trace. (#​8197)
  • Fix stale status code reporting on self-observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp and go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8226)
  • Fix a concurrent Collect data race and potential panic in go.opentelemetry.io/otel/exporters/prometheus when WithResourceAsConstantLabels option is used. (#​8227)
  • Fix race condition in FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar by reverting #​7447. (#​8249)
  • Fix FixedSizeReservoir in go.opentelemetry.io/otel/sdk/metric/exemplar to safely handle zero size.
    A capacity check in the constructor initializes the reservoir safely and skips initialization for zero-cap; early returns in Offer() and Collect() ensure no-op behavior. (#​8295)
  • Fix counting of spans and logs in self-observability metrics in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc, go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp, go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc, and go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp. (#​8254)
  • Drop conflicting scope attributes named name, version, or schema_url from metric labels in go.opentelemetry.io/otel/exporters/prometheus, preserving the dedicated otel_scope_name, otel_scope_version, and otel_scope_schema_url labels. (#​8264)
  • Close schema files opened by ParseFile in go.opentelemetry.io/otel/schema/v1.0 and go.opentelemetry.io/otel/schema/v1.1. (GHSA-995v-fvrw-c78m)
  • Enforce the 8192-byte baggage size limit during extraction/parsing, changing behavior when the limit is exceeded in go.opentelemetry.io/otel/baggage and go.opentelemetry.io/otel/propagation. (#​8222)
  • Fix go.opentelemetry.io/otel/semconv/v1.41.0 to include Attr* helper methods for required attributes on observable instruments. (#​8361)
  • Limit baggage extraction error reporting in go.opentelemetry.io/otel/propagation to prevent malformed or oversized baggage headers from flooding logs. (GHSA-5wrp-cwcj-q835)

v1.40.0

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
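
The fix recommendation quoted in the advisory above (treat multi-values as one comma-joined string and cap the total bytes) can also be enforced at the HTTP edge, so that downstream propagation code sees at most one bounded baggage field-value. The following is an added example using only the Go standard library, not code from opentelemetry-go or from this PR; `limitBaggage`, `normalizeBaggage`, `seenDownstream` and the choice of 8192 bytes as the total budget are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBaggageBytes is one budget for ALL baggage field-values of a request
// combined (assumption: the 8192-byte total the advisory gives as an example).
const maxBaggageBytes = 8192

// normalizeBaggage joins the field-values into a single comma-separated value.
// It stops as soon as the running total would exceed the budget, so the work
// done is bounded by maxBaggageBytes rather than by the number of header lines.
func normalizeBaggage(values []string) (string, bool) {
	var b strings.Builder
	for _, v := range values {
		v = strings.TrimSpace(v)
		if v == "" {
			continue
		}
		need := len(v)
		if b.Len() > 0 {
			need++ // separating comma
		}
		if b.Len()+need > maxBaggageBytes {
			return "", false
		}
		if b.Len() > 0 {
			b.WriteByte(',')
		}
		b.WriteString(v)
	}
	return b.String(), true
}

// limitBaggage hands the wrapped handler a request with at most one baggage
// field-value. Over-budget baggage is dropped instead of failing the request,
// because baggage is optional context.
func limitBaggage(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		vals := r.Header.Values("Baggage")
		if len(vals) == 0 {
			next.ServeHTTP(w, r)
			return
		}
		r = r.Clone(r.Context()) // do not mutate the caller's request
		if joined, ok := normalizeBaggage(vals); ok && joined != "" {
			r.Header.Set("Baggage", joined)
		} else {
			r.Header.Del("Baggage")
		}
		next.ServeHTTP(w, r)
	})
}

// seenDownstream sends a constructed request through limitBaggage and returns
// the baggage field-values that the wrapped handler receives.
func seenDownstream(values []string) []string {
	var seen []string
	h := limitBaggage(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen = r.Header.Values("Baggage")
	}))
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	for _, v := range values {
		req.Header.Add("Baggage", v)
	}
	h.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	// Constructed input: three small field-values, then 80 field-values that
	// are each under 8192 bytes but together far exceed the total budget.
	small := []string{"userId=alice", "tenant=acme", "region=eu"}
	large := make([]string, 80)
	for i := range large {
		large[i] = fmt.Sprintf("k%d=%s", i, strings.Repeat("x", 8000))
	}
	fmt.Printf("small: downstream sees %q\n", seenDownstream(small))
	fmt.Printf("large: downstream sees %d field-values\n", len(seenDownstream(large)))
}
```

The middleware only helps if it wraps the handler chain outside whatever layer performs propagation extraction, so that it runs first.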

@felix-renovate felix-renovate Bot added the felix label May 1, 2026

felix-renovate Bot commented May 1, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 2 additional dependencies were updated

Details:

Package Change
go.opentelemetry.io/otel/metric v1.39.0 -> v1.41.0
go.opentelemetry.io/otel/trace v1.39.0 -> v1.41.0

@felix-renovate felix-renovate Bot requested a review from a team as a code owner May 1, 2026 00:33
@felix-renovate felix-renovate Bot added the felix label May 1, 2026
@felix-renovate felix-renovate Bot force-pushed the renovate/go-go.opentelemetry.io-otel-vulnerability branch from 0173071 to b4a68b3 Compare May 15, 2026 13:54
@felix-renovate felix-renovate Bot force-pushed the renovate/go-go.opentelemetry.io-otel-vulnerability branch from b4a68b3 to e87e64d Compare May 22, 2026 19:23